Enabling HSTS

HSTS stands for HTTP Strict Transport Security. It is a security measure that ensures visitors can only communicate with your website via a secure connection (HTTPS). Once a browser has seen the HSTS header, it refuses to contact your site over plain HTTP for the configured period, which blocks man-in-the-middle attacks that depend on downgrading the connection to HTTP, so the communication between the user and your website remains secure.

Implementing HSTS
Key Considerations
HSTS Preload List


Implementing HSTS



Follow these steps to implement HSTS:

1. Ensure a valid SSL certificate:
   Your website must function fully over HTTPS before you enable HSTS.

2. Edit the .htaccess file:

   Open the .htaccess file in your website's root directory (e.g., domains/voorbeeld.cc/public_html).
   If no .htaccess file exists, create one.
   Add the following lines ("always" makes Apache send the header on redirect and error responses as well, not only on successful 2xx responses; the preload checks at hstspreload.org expect the header on redirects too):

   # "always" sends the header on every response, including redirects and errors
   Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

   Explanation:

   max-age=31536000: browsers will enforce HTTPS for 1 year (31536000 seconds), counted from the last time they saw the header.
   includeSubDomains: also applies the policy to all subdomains.
   preload: optional, signals your consent to inclusion in the HSTS Preload List.

   Save and close the file.

3. Test your website:
   Verify that everything works correctly over HTTPS, and use tools such as the SSL Labs SSL Test to validate your setup.

Important: Only implement HSTS if your site will consistently support HTTPS. Browsers that have seen the header will refuse plain HTTP for the full max-age period, so a site that later falls back to HTTP becomes unreachable for those visitors.


Key Considerations



SSL certificate required: Your website must operate fully over HTTPS.
Test on a subdomain first: This limits the impact if something goes wrong.
Use a cautious max-age initially: Start with a short duration (e.g., 300 seconds) and raise it only once the site has proven stable over HTTPS.
Be careful with includeSubDomains: Ensure every subdomain supports HTTPS, including ones that are rarely used.
Delay using preload: Once your domain is on the preload list, removal is slow and difficult.
Ensure all external resources (scripts, images, fonts) load via HTTPS.
Monitor your website carefully after activation.
Document your changes for easy reference.
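To check the header value configured in step 2 against the rollout advice above (short max-age first, preload only when you intend to submit) and against the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains and the preload token), here is an added example; it is not part of this article, and the header values in the test are constructed samples.

```python
# Added example (not from the article): parse a Strict-Transport-Security
# header value as RFC 6797 describes it and check it against the rollout
# advice above; sample inputs in the usage note are constructed.
import re

PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org requires at least one year

def parse_hsts(value):
    """Directive names are case-insensitive, max-age is mandatory and
    no directive may appear twice; unknown directives are ignored."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False, "errors": []}
    seen = set()
    for token in (t.strip() for t in value.split(";") if t.strip()):
        name, _, arg = token.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:
            policy["errors"].append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", arg):
                policy["max_age"] = int(arg)
            else:
                policy["errors"].append(f"invalid max-age value: {arg!r}")
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        policy["errors"].append("max-age missing: browsers ignore the whole header")
    return policy

def check_hsts(value, intend_preload=False):
    """Return findings as a list of strings; empty means the header is sane
    for the stated intent (intend_preload=True once you plan to submit)."""
    policy = parse_hsts(value)
    findings = list(policy["errors"])
    if policy["max_age"] == 0:
        findings.append("max-age=0 withdraws the policy; use only to roll HSTS back")
    if policy["preload"]:
        if not intend_preload:
            findings.append("preload token present; remove it until you intend to submit")
        if policy["max_age"] is not None and policy["max_age"] < PRELOAD_MIN_MAX_AGE:
            findings.append("preload requires max-age >= 31536000 (one year)")
        if not policy["include_subdomains"]:
            findings.append("preload requires includeSubDomains")
    return findings
```

Feed check_hsts() the value shown for Strict-Transport-Security in your browser's developer tools or in the output of curl -I against your HTTPS address; an empty list means the header matches the stage of rollout you are in.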


HSTS Preload List



The HSTS Preload List is a list of domains built into browsers such as Chrome, Firefox, and Safari; for a listed domain the browser enforces HTTPS-only access from the very first visit, before it has ever received your HSTS header.

Benefits:

Enhanced security: protects against network and man-in-the-middle attacks.
Faster connections: eliminates the initial HTTP request.

When to submit:

Only after thorough testing and 100% HTTPS compatibility.
Only if you intend to permanently use HTTPS.

👉 More info and submission: hstspreload.org

Updated on: 23/05/2025
